ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tdd Helper

v0.1.0

Lightweight helper to enforce TDD-style loops for non-deterministic agents.

0· 828·4 current·5 all-time
by@cerbug45
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (TDD helper) align with the included tdd.py, README, and SKILL.md. Required binaries (python3, pytest) are appropriate for running tests and the script; no unrelated credentials or system paths are requested.
Instruction Scope
SKILL.md and tdd.py stay within the stated purpose (run tests, optionally lint, then run a target command). However, the script executes TEST_CMD, LINT_CMD and the provided --run command with shell=True, which will run arbitrary shell commands — expected for a wrapper but important to note because it executes whatever command the agent or user supplies.
Install Mechanism
No install spec; this is instruction-only with a small included script. Nothing is downloaded or written to disk by an installer step.
Credentials
The skill requests no credentials and only optionally reads TEST_CMD, WARN_AS_ERROR, and LINT_CMD. Those env vars are reasonable for configurability, though they are not listed under requires.env in metadata (minor omission). No secrets are requested.
Persistence & Privilege
always is false and the skill does not request persistent/privileged presence or modify other skills. It can be invoked autonomously (platform default), which is expected for a developer helper but increases the risk if used by an agent without guardrails.
Assessment
This skill is internally consistent with its purpose, but note that tdd.py will execute whatever shell commands it is given (tests, linter, and the --run command) using shell=True. Before installing or enabling autonomous invocation: (1) ensure pytest and any linters are trusted and present, (2) avoid passing untrusted inputs into --run/TEST_CMD/LINT_CMD to prevent command injection, (3) consider restricting which commands an agent may ask this skill to run or use sandboxing (containers, timeouts) when running untrusted code, and (4) be aware optional env vars (WARN_AS_ERROR, TEST_CMD, LINT_CMD) control behavior though they're not declared in the metadata.

Like a lobster shell, security has layers — review code before you run it.

latestvk978dtsh8bf7g2xhfgrmdx3nh581aa19

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binspython3, pytest

Comments